WLCG AuthZ Call
Previous Actions:
- Action, Maarten: to collate the changes for the profile, with ones to be made now and ones to be considered further
- Action, all: review profile changes as required.
Proposed agenda:
- Token Profile: Open Issues and PRs
Zoom meeting:
Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Next Meeting:
- 11 April 2024
Present: Angela, Berk, Dave D, Dimitrios, Federica, John, Julie, Linda, Maarten (notes), Mine, Roberta
Notes:
Maarten asks if there are topics people would like to discuss in this meeting, whose attendance may be low due to its proximity to the Easter holidays. John proposes the AUP issue seen by ATLAS since the IAM services were upgraded yesterday. Federica replies that the current behavior is in fact correct: if the AUP was not signed, the given user must not be allowed to obtain proxies or tokens. There was a related bug that had already been fixed in v1.8.1, but the CERN instances were running a much older version on each of the VOMS-AA endpoints until those were finally upgraded to v1.8.4 this week. Maarten thinks he remembers there was a VOMS importer bug that caused the AUP status not to be copied from VOMS-Admin and that Petr had to run curl commands to fix that, one account at a time. Earlier today, Petr asked the IAM experts if a command could be run directly on the DB to fix all remaining cases. After the meeting, the matter was looked into, but there was not enough time to settle on a safe recipe today. The trouble might still be resolved on Friday, which happens to be a CERN holiday, else next week. The situation can be quite annoying due to gratuitous error messages, but the VOMS client will then try one of the legacy VOMS servers instead and normally succeed after all. Maarten then adds that a VO admin should be able to update a user's AUP timestamp from the GUI, just like VOMS-Admin allows: he will open an issue for that as needed.
Maarten then informs the meeting that we will need to decide on which issues are deemed high-priority by the LHC experiments to get fixed during April and May, before the IAM services will also start getting used for VO management by the experiments. Petr had already pointed Maarten to a document in which he keeps track of issues relevant at least to ATLAS. Maarten intends to start a Google Doc bootstrapped with contents from that document.
Next, Berk describes what was done in yesterday's upgrades. A MySQL upgrade from 8.0.28 to 8.0.35 was forced upon us. We then looked into taking advantage of the downtime to see if IAM could be upgraded at the same time. The developers were able to cut the final 1.8.4 release on Monday, just in time for Berk to do an upgrade test and find that everything looked OK. The VOMS-AA endpoints were also upgraded accordingly this time. The intervention for the ALICE instance ran into a problem with the DB-on-Demand infrastructure and has been postponed until April 4. Berk adds there was another issue reported by Petr: by default, local logins are now disabled in the GUI. The devs pointed us to the configuration option that enables a new button giving access to the local login dialog. Petr felt it might better be hidden by default, to avoid potential confusion of users. An issue may then be opened to make this more configurable, but it does not look urgent. Maarten adds that 1.8.4 in particular fixes the security vulnerability that had been present for years, viz. that clients using the client-credentials flow could be created anonymously, as was discovered by Steve Murray from the FTS team. Though it looks very unlikely for that feature to have been abusable in our infrastructure, there is no reason for us to support such functionality at all.
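As an added example (not code from these notes, nor IAM's own), a small Python probe for the registration weakness mentioned above: it sends an anonymous RFC 7591 registration request asking for the client_credentials grant to the registration_endpoint advertised in the provider's discovery document, reports whether such a client was minted, and deletes any client it did create via RFC 7592 so nothing is left behind. The issuer name, the sample metadata and the responses used for the offline run are constructed; the endpoint path is whatever the provider advertises, not hard-coded.

```python
"""Probe: can an unauthenticated caller register an OAuth client that uses the
client_credentials grant?  Added example for these meeting notes; it is not
IAM's own code.  It relies only on standard behaviour: the discovery document's
registration_endpoint (OIDC Discovery / RFC 8414) and RFC 7591/7592 messages.
The metadata and responses below are constructed so the probe runs offline."""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed stand-in for GET <issuer>/.well-known/openid-configuration
SAMPLE_METADATA = {
    "issuer": "https://iam.example.org",                        # assumed name
    "registration_endpoint": "https://iam.example.org/register",  # assumed path
}

# (method, url, json body or None, extra headers) -> (status, json body)
Sender = Callable[[str, str, Optional[dict], Optional[dict]], Tuple[int, dict]]


def registration_request(client_name: str = "anon-cc-probe") -> dict:
    """RFC 7591 body asking for a client_credentials-only client.  An empty
    response_types list is exactly what such a client legitimately needs."""
    return {
        "client_name": client_name,
        "grant_types": ["client_credentials"],
        "response_types": [],
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": "openid",
    }


def classify(status: int, body: dict) -> str:
    """Turn the registration response into a verdict.
    'open'     : a client_credentials client was minted for an anonymous caller
    'rejected' : refused outright, or created without the requested grant
    'other'    : anything else, inspect manually"""
    if status in (401, 403):
        return "rejected"
    if status in (200, 201) and "client_id" in body:
        if "client_credentials" in body.get("grant_types", []):
            return "open"
        return "rejected"
    return "other"


def http_send(method: str, url: str, body: Optional[dict],
              headers: Optional[dict]) -> Tuple[int, dict]:
    """Real transport: plain urllib, deliberately without any Authorization
    header unless the caller passes one (the probe must be anonymous)."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
    hdrs.update(headers or {})
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, (json.loads(raw) if raw else {})
        except ValueError:
            return err.code, {}


def probe(metadata: dict, send: Sender = http_send) -> str:
    """POST the anonymous registration; if a client was created, remove it
    again through the RFC 7592 management URI the server handed back."""
    status, body = send("POST", metadata["registration_endpoint"],
                        registration_request(), None)
    verdict = classify(status, body)
    if status in (200, 201) and "registration_client_uri" in body \
            and "registration_access_token" in body:
        send("DELETE", body["registration_client_uri"], None,
             {"Authorization": "Bearer " + body["registration_access_token"]})
    return verdict


if __name__ == "__main__":
    # usage: python probe.py https://issuer.example   (live run, not offline)
    issuer = sys.argv[1].rstrip("/")
    _, meta = http_send("GET", issuer + "/.well-known/openid-configuration",
                        None, None)
    print(probe(meta))
```

A verdict of "open" means the provider created a client_credentials client for a caller that presented no credentials at all, which is the behaviour the 1.8.4 release is said to remove; "rejected" is the expected result after the upgrade. The cleanup step only fires when the server returned RFC 7592 management data, so a server that registers clients without handing back a registration_access_token leaves a stray client that has to be removed by an administrator.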
Next, Maarten reports he gave another token transition update talk in yesterday's GDB, adding we will have further presentations and discussions about the DC24 token experience as well as our status and plans during the WLCG / HSF workshop at DESY in the second week of May. After the meeting, Dave and Maarten agreed to have Vault + htgettoken & httokensh also presented in a WLCG Ops Coordination meeting, just like MyToken was on March 7.
The final item of this short meeting is about the WLCG token profile. Maarten intends to start merging most of the outstanding PRs in the coming days to help clear the issue backlog, but we will need to spend some time on the profile in upcoming AuthZ WG and possibly DOMA BDT meetings, to decide what will be in the next official version of our profile, presumably v2.0, and what will need to wait for hopefully minor revisions later. A new version does not need to have immediate consequences for the infrastructure, but does signal where we would want to go.